Security News This Week: Kanye's Password Literally Couldn't Be Worse

It has not been a good week for Google or Facebook. The week started with Google announcing it was finally putting the sorry social media network Google + out of its misery—not because it had lost the social wars to Facebook, but because it had exposed the data of 500,000 of its users, and Google hadn't disclosed it. And the week ended with Facebook explaining how 30 million of its users got hacked.

If you have a Facebook account, you can follow our instructions here to safely find out if you were and how bad it was. Both the Google and Facebook breaches are a great example of the conundrum facing companies who get hacked: What’s the right way to disclose a privacy breach? Lily Hay Newman explains how lawmakers are trying to answer that question.

Bad cybersecurity news wasn’t confined to Silicon Valley. The Government Accountability Office issued a blistering report on the cybersecurity of the Department of Defense’s military weapons systems. The report issued a horrifying conclusion: “DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.” And we took a look at some clever cryptomining malware that goes ahead and installs a real Adobe Flash update for you.

Then Garrett Graff has the inside story of how the United States used a Chinese spy to force the nation of China to quit stealing US trade secrets. It’s an amazing tale, and read.

And there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

After MAGA-hat-wearing husband to Kim Kardashian visited the White House to talk about hydrogen planes and his love of the patriarchy on Thursday, the phrase “Cancel Kanye” trended across the internet. People were upset about Kanye’s opinions on slavery, and women, and men, and mental health, and the constitution, and hats, and lots of other things. Late night comedians had a field day, and of course the internet lost its collective mind. But the cybersecurity community was up in arms about something else: With cameras pointed directly at him from every angle, Kanye unlocked his iPhone on live television, revealing his password for all to see. Now, that’s bad enough op-sec as it is, but it gets worse when you realize is password is—or hopefully was—literally 00000. People naturally tweeted about how bad an idea that is, and then some legal scholars wondered if doing so was a violation of the Computer Fraud and Abuse Act. The whole thing was a mess. And sums up perfectly how surreal 2018 is. But the main takeaway is: Don’t be like Kanye. In any way. Especially not when it comes to cybersecurity.

Speaking of Donald Trump, lawyers for his 2016 presidential run argued in court this week that it was legal for the campaign to use the contents of the hacked DNC emails to help get Trump elected, so long as he and the campaign weren't the ones who stole them, and the information was a matter of public concern.

Rick Gates, who at the time was a top Trump campaign official, reportedly asked an Israeli company to draw up plans for fake online identities that the campaign could use in a manipulation plot to help clinch the Republican nomination for Trump and beat, Hillary Clinton, according to the New York Times. The request happened after Russia’s disinformation campaign was already underway, according to the report. Documents the Times saw indicate Gates believed disinformation campaigns could be helpful to Trump. One of the apparent proposals was intended to target 5,000 election delegates—to switch them from voting for Ted Cruz to voting for Trump. Another allegedly focused on Hillary Clinton, and yet another was pitched as a broad campaign to foment and amplify divisions among Trump’s opponents.

If you have a boat, congratulations! That seems like a nice, calm lifestyle, a great way to escape the news cycle and the aforementioned surreality of 2018. I hate to be the bearer of bad news, though, but if you happen to own a navigation system from Garmin-owned Navionics, that you may have a problem on your hands. An exposed database for the navigation company put the personal data of hundreds of thousands of customers at risk. The company says it has since patched the vulnerability.

Not all heroes wear capes. Some are regular old Russian server administrators going by the name Alexey, secretly breaking into your insecure MicroTik routers and patching security holes to save them from the Fancy Bear hacking group's notorious VPNFilter malware. Thanks, Alexey! The gray-hat hacker claimed he has fixed 100,000 routers, boasting about it on Russian blog.

A vulnerability in WhatApp video calls allowed hackers to hijack accounts. After ZDNet broke the news, Facebook announced it had fixed the problem. The bug was discovered in August, and fixed in October.